
Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

0 votes
1 answer
665 views
tcpd, inetd/rinetd and iptables
What is the correlation between these programs? **tcpd** and **inetd**/**rinetd** are very old but despite this they are still present in many distributions ... why? And there is also a correlation between `hosts.allow` and `hosts.deny` with **tcpd** but I noticed that these files are present even when **tcpd** is not installed ... (trying with the command **dpkg** I also noticed that hosts.allow/deny does not correspond to any package) ... well .. a mess. Who can help me clarify? Thanks
user377583
Feb 18, 2020, 04:47 PM • Last activity: Feb 18, 2020, 05:09 PM
0 votes
2 answers
336 views
How can I reduce the volume of DenyHosts emails?
As someone who had no experience dealing with Unix or Linux before about 6 months ago, I'm feeling pretty comfortable with managing a Linux server now. The one question I do have is about DenyHosts, and how it's sending out reports. Firstly, I get about 3 to 4 DenyHosts reports **a day**. My first question is, is it really true that that many people are trying to brute-force my server? Every time someone is locked out, I get an email that a host has been denied access, which isn't that important to me, as I'm the only human user on the system. Is there a better way to handle the flood of emails coming to me, or a better way to stop people from trying to gain access to my server? Currently I have all of my root email forwarded to an actual email address, so I don't have to log in via SSH to read it. (Root login is disabled, so I log in as myself and sudo su into root.) Any insight into this would be much appreciated.
Noel Forte (453 rep)
May 17, 2014, 03:40 PM • Last activity: Feb 17, 2020, 02:21 PM
0 votes
1 answer
192 views
Restricting web application access to selected machines
I want to host a web based OpenERP application in a VPS Ubuntu 12.04 OS application. Can I restrict the application access to only assigned machines? In other words, I have 2 offices, and I need to restrict my employees to accessing this application only from the office, but not from their home or outside, in order to prevent losing my customer data. I think host-deny and host-allow might be able to work. But I think we need a static IP address for the same. I am not sure about the above solution. Basically I am looking for a solution without using a static IP address.
Fayaz (1 rep)
Jan 4, 2014, 04:29 AM • Last activity: Nov 21, 2018, 09:46 PM
2 votes
1 answer
107 views
Can't SSH from my IP, but can from other IPs
I installed DenyHosts, which is a script intended to be run by Linux system administrators to help thwart SSH server attacks (also known as dictionary based attacks and brute force attacks). It did not even finish installing and everyone connected to the server got disconnected. I rebooted the server from the server control panel (Host). I was able to webmin and other stuff like web and SSH from another IP using my phone's hotspot, but on my PC and other PCs at home I can't. The package has been removed. Now, how should I be able to SSH again from my PC?
Ajaydev Singh (325 rep)
Sep 15, 2016, 08:28 AM • Last activity: Oct 5, 2017, 05:24 PM
3 votes
1 answer
1604 views
Is it safe to delete the file /etc/hosts.deny?
I installed *Denyhosts* and then my permanent ip was partially blocked for some reason ("partially" blocked because while I couldn't ssh or ftp, I was able to http into my sites). I deleted *Denyhosts* and was still blocked so I logged in from another computer with another ip and removed my ip from /etc/hosts.deny. Then, I was no longer blocked and ssh'd successfully. Yet, for some reason I became partially blocked again and had to repeat the process.

My question
-----------

My question can be comprised of the following questions:

1. Why was /etc/hosts.deny not deleted when I did apt-get purge denyhosts?
2. Is it safe to fully remove /etc/hosts.deny so that only iptables will block ip's?
user149572
Apr 16, 2017, 10:35 AM • Last activity: Apr 16, 2017, 11:54 AM
2 votes
0 answers
239 views
Why is denyhosts not banning *some* brute force root SSH login attempts?
I recently noticed in my logwatch emails from a couple of servers that although denyhosts was doing its job for some brute force root ssh login attempts others seem to be ignored and continue to pester SSH with 1000s of attempts per day. I have `sshd_config` set to `PermitRootLogin no` so not a great worry, but still a concern...

After a bit of investigation I noticed that logwatch was also warning me of *Unmatched Entries* for these same IPs that all take the form of:

```
PAM {X} more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost={SUSP.NET.IP.ADDR} user=root : {MANY} time(s)
```

Whereas the IPs that do get banned do not have these entries.

A bit of searching pulled up [this exchange on the DenyHosts mailing list](http://sourceforge.net/p/denyhosts/mailman/message/33238788/) from January this year which suggests at least one other person has noted this issue but no solution.

After reading the FAQ top to bottom I looked at the `DenyHosts/regex.py` thinking I might be able to change a REGEX in the conf file. It seems to me as though the default regexes should already be matching *other* lines in the log file for the IP that is slipping through denyhosts' grasp; and therefore banning it anyway, but that does not seem to be happening.

So before I pull out my Python hat I thought it might be worth posting here to see if someone else has already come across and fixed this issue.

- CentOS 6.5
- Python 2.6.6-52.el6
- EPEL DenyHosts 2.6-20.el6

More investigation is leading me to the fact that the original SF DenyHosts project is unresponsive and has since been forked - Fedora has updated package from the new fork but these have not made their way across to EPEL...
DanSut (592 rep)
Sep 29, 2015, 11:42 PM • Last activity: Sep 30, 2015, 03:43 PM
1 vote
1 answer
5390 views
Block a certain URL?
I want to deny access to a specific URL. It isn't a whole website, it's a specific URL. I want to do it simply so that some applications including browsers can't make requests for it. I tried this:

```
$ cat /etc/hosts
127.0.0.1 http://url_to_block/url_to_block2/url_to_block3
```

but it didn't help me, for example, in the browser some website keeps on sending the ajax requests to that URL and receiving the responses from it. Why not? How to do it?
Incerteza (2791 rep)
Nov 21, 2014, 11:29 AM • Last activity: Nov 21, 2014, 01:43 PM
4 votes
2 answers
2708 views
Denyhosts: how to always allow certain known users?
With Denyhosts, how can I "whitelist" a known good user by username plus the fact that they have a valid RSA keypair (or in combination with some other known fact about the user such as MAC address)?

Some background: On a Ubuntu server, denyhosts is blocking some SSH users (but not all) from logging in. The users are all configured exactly the same -- even using the same Linux user account. Every user has an RSA key pair and logs in via keypair only. No password based SSH logins are allowed. (These are automated SSH logins to an update server.)

If I add the problematic users' IP addresses to Denyhost's hosts.allow file (and remove the address from any restricted/deny files), the user can log in just like the other users. But none of these users have static IP addresses, so this isn't a solution.

Given the fact that these users have a valid RSA key and they have a Linux user account, is there a way I can make denyhosts stop blocking them (without weakening its proper functioning, especially for all the would-be attackers who try to log in with invalid passwords)?

Update: I have `PasswordAuthentication no` and `AllowUsers foo@*` in `/etc/ssh/sshd_config` along with the other relevant settings so that my users can only log in with RSAAuthentication. Of course, I could always stop using Denyhosts. But my question is how can I make Denyhosts work the way I intend so I don't have to stop using it.
MountainX (18888 rep)
Feb 21, 2014, 06:07 PM • Last activity: Jun 29, 2014, 01:13 PM
1 vote
2 answers
2640 views
Does dropbear take care of hosts.allow and hosts.deny?
I'm running `dropbear` as SSH daemon on Debian (actually Raspbian). I tried setting

```
# /etc/hosts.allow
dropbear:192.168.1.1 # my static ip from which I SSH connect to the device
```

and

```
# /etc/hosts.deny
ALL:ALL # block all others
```

Then I restarted the whole device. I could still SSH into the device from different IP addresses and even from remote. Did I configure the files wrong or does dropbear not support these two files?
Foo Bar (3672 rep)
May 12, 2014, 07:10 PM • Last activity: May 13, 2014, 12:52 AM
0 votes
2 answers
2035 views
Can't use SSH anymore after installing denyhosts
So I'm in a very tricky situation. I've installed denyhosts on my debian machine and suddenly I can't use SSH anymore. Hopefully I could still log in through webmin, but with root, so I had to log in with another user and then "su". I flushed the IPtables, changed the port of SSH back to 22 (I had it previously changed) and tried to remove denyhosts: `aptitude remove denyhosts`. It doesn't seem to work:

```
E: Waited for /usr/bin/apt-listchanges --apt || test $? -ne 10 but it wasn't the re
E: Failure running script /usr/bin/apt-listchanges --apt || test $? -ne 10
```

At this point I really don't know what to do, I still can't connect through SSH and I only have this text terminal in webmin that allows me to do it but very slowly. Any idea?

PS: When I do an `aptitude upgrade` now I get an error:

```
Get:1 http://security.debian.org/ squeeze/updates/main file amd64 5.04-5+squeeze 5 [50.3 kB]
Get:2 http://security.debian.org/ squeeze/updates/main libmagic1 amd64 5.04-5+sq ueeze5 [236 kB]
Fetched 286 kB in 0s (622 kB/s)
dpkg-deb: unrecoverable fatal error, aborting:
 wait for subprocess tar failed: No child processes
close failed in file object destructor:
IOError: [Errno 10] No child processes
Traceback (most recent call last):
  File "/usr/bin/apt-listchanges", line 237, in main()
  File "/usr/bin/apt-listchanges", line 102, in main
    pkg = DebianFiles.Package(deb)
  File "/usr/share/apt-listchanges/DebianFiles.py", line 133, in __init__
    self.binary = pkgdata.Package
AttributeError: ControlStanza instance has no attribute 'Package'
E: Waited for /usr/bin/apt-listchanges --apt || test $? -ne 10 but it wasn't the re
E: Failure running script /usr/bin/apt-listchanges --apt || test $? -ne 10
A package failed to install. Trying to recover:
```

I get the same kind of error when I do an install or reinstall denyhosts...
David 天宇 Wong (111 rep)
Mar 29, 2014, 03:03 PM • Last activity: Apr 1, 2014, 03:30 AM
1 vote
0 answers
171 views
Cygwin DenyHosts daemon-control file: no such file or directory error
I have been trying to figure out this error and searched everywhere with no luck. I have installed DenyHosts on Cygwin and also the DenyHosts daemon but when I try to start the daemon by typing:

```
cygrunsrv -S DenyHosts
```

I get the following error in my DenyHosts.log file:

```
C:\Program Files\Python33\python.exe: can't open file '/usr/share/denyhosts/daemon-control': [Errno 2] No such file or directory
```

I have checked the above path to daemon-control and the file is there. Any ideas?
synthesis (153 rep)
Jan 3, 2014, 11:30 AM
0 votes
1 answer
554 views
Local host always being added to /etc/hosts.deny when trying to SSH
I have a rather odd problem with my server. For some reason the local hostname for my workstation keeps getting added to the `/etc/hosts.deny` and when I try to SSH I get:

```
ssh_exchange_identification: Connection closed by remote host
```

If I use another workstation and delete my hostname from the file, I have about a 10 second window to log in from my workstation before it's added again. My workstation is running Mac OSX Mountain Lion and I'm using ssh from the Terminal. Any idea what could be up or how to find out what's up?
Frank Weindel (101 rep)
Mar 20, 2013, 01:55 AM • Last activity: Sep 14, 2013, 04:20 PM
3 votes
3 answers
1650 views
denyhosts is blocking existing users from logging in from unknown (new) IP addresses
I have denyhosts set up and working on Ubuntu 12.04. It apparently works well, except it is too strict. I can log in from any IP address that I have added to hosts.allow in advance. My sshd_config does not allow password login, only login with keys. However, logging in from a new IP address with my valid RSA key (which works from my known IP addresses), the server shows this msg in /var/log/auth.log:

> Jun 23 19:16:31 MyServerName sshd: refused connect from hostname.comcast.net (XXX.XXX.XXX.XXX)

In order to connect, all I have to do is add the new IP address to /etc/hosts.allow. That's it. Then I can log in:

> Jun 23 19:45:03 MyServerName sshd: Accepted publickey for username from XXX.XXX.XXX.XXX port 61236 ssh2
> Jun 23 19:45:03 MyServerName sshd: pam_unix(sshd:session): session opened for user username by (uid=0)

I have not changed any of the default denyhosts config values and it works really well -- except that it is too strict. (Or does something else read /etc/hosts.allow?)

I need to allow any linux user (whose account already exists on the server) to log in from any IP address without making changes on the server in advance (such as adding the IP to hosts.allow). EightBitTony suggests that denyhosts should allow this behavior. In response to EightBitTony, I changed this question and the title.
MountainX (18888 rep)
Jun 23, 2013, 11:18 PM • Last activity: Jun 24, 2013, 12:08 AM
0 votes
2 answers
265 views
DenyHosts and no-ip.com
I recently installed `DenyHosts` and after a few remote logins I noticed that `sshd: 8.23.224.110` had been added to the `host.deny` file after `/var/log/auth.log` showed a few `sshd: Did not receive identification string from 8.23.224.110`. This appears to be `no-ip.com`. I use `ddclient` to dynamically update my ip-address to point to my hostname at no-ip.com; something like myhostname@no-ip.org so that instead of having to ssh to a dynamic ip I can always just connect to the above host. I don't understand why 8.23.224.110 would be trying to connect to my ssh service however, can anyone shed some light on this? Is it some kind of by-product of me ssh'ing to the no-ip hosted hostname? Is it likely to be problematic now DenyHosts has banned it?
fpghost (727 rep)
Apr 3, 2013, 03:19 PM • Last activity: Jun 21, 2013, 01:17 PM
Showing page 1 of 14 total questions